Payroll pirates are conning help desks to steal workers’ identities and redirect paychecks
Summary
In December 2025 Binary Defense’s ARC Labs investigated an incident in which attackers used social engineering against a help desk to steal a physician’s identity and reroute their salary. The criminals first accessed a shared mailbox (likely via previously compromised credentials), identified a target, then phoned the help desk posing as the locked-out employee. The help desk reset the password and MFA, allowing the attacker to authenticate via the organisation’s virtual desktop infrastructure (VDI), register new devices, access the payroll system (Workday) and change direct-deposit details so paychecks were sent to attacker-controlled accounts.
The intruders deliberately used the company’s own internal infrastructure so logins looked legitimate and bypassed detection. Defenders only discovered the fraud when the physician reported not being paid. Binary Defense stresses this as process and identity exploitation rather than a pure technical hack, urging organisations to treat identity as a privileged asset and payroll changes as high-risk financial events.
Key Points
- Attackers exploited a shared mailbox to harvest identities and target employees for help-desk social engineering.
- A help-desk password and MFA reset allowed the attacker to take over the victim’s account.
- Using the organisation’s VDI made access appear internal and trusted, evading many security detections.
- Once inside, the attacker accessed Workday and changed direct-deposit details to steal paychecks.
- This is identity- and process-driven fraud, not necessarily a network breach — “identity is the new perimeter.”
- Recommended mitigations include stricter help-desk procedures, reducing shared-mailbox exposure, verification for payroll changes, temporary holding periods and treating payroll changes as telemetry for threat detection.
- Lessons from wire-transfer and accounts-payable fraud apply: require confirmations and fraud-review steps for banking detail changes.
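As an added illustration of the "payroll changes as telemetry" and holding-period recommendations above (example code written for this summary, not code from Binary Defense, ARC Labs or the original report), the following correlates help-desk resets and new-device registrations with a later direct-deposit change for the same identity and assigns a release date. The event names, window lengths and sample events are constructed assumptions, not fields from any real identity or payroll product.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the incident report). One identity goes
# through the chain described in the summary: help-desk MFA reset -> new device
# -> direct-deposit change. A second identity changes direct deposit with no
# preceding risk signal, which should still be held but at lower severity.
SAMPLE_EVENTS = [
    ("2025-12-01T09:02:00", "dr.smith", "helpdesk_mfa_reset", "ticket=HD-constructed-1"),
    ("2025-12-01T09:30:00", "dr.smith", "device_registered", "device=unrecognised-laptop"),
    ("2025-12-01T10:15:00", "dr.smith", "direct_deposit_changed", "account=redacted"),
    ("2025-12-03T14:00:00", "j.doe", "direct_deposit_changed", "account=redacted"),
]

# Identity events that, shortly before a bank-detail change, indicate takeover risk.
RISK_SIGNALS = {"helpdesk_mfa_reset", "helpdesk_password_reset", "device_registered"}
LOOKBACK = timedelta(days=7)   # how far back to look for risk signals (assumed window)
HOLD = timedelta(days=3)       # temporary holding period before the new account is paid


def parse(raw):
    """Turn (iso_timestamp, user, event_kind, detail) tuples into datetime-keyed events."""
    return [(datetime.fromisoformat(ts), user, kind, detail) for ts, user, kind, detail in raw]


def review_payroll_changes(events, lookback=LOOKBACK, hold=HOLD):
    """Treat every direct-deposit change as a high-risk financial event.

    For each change, collect the risk signals seen for the same identity inside
    the lookback window, rate severity, and compute when the change may be released
    if no one objects during the hold. Returns one alert dict per change, in time order.
    """
    events = sorted(events)  # tuples sort by timestamp first
    alerts = []
    for ts, user, kind, _detail in events:
        if kind != "direct_deposit_changed":
            continue
        prior = [
            e_kind for e_ts, e_user, e_kind, _ in events
            if e_user == user and e_kind in RISK_SIGNALS and ts - lookback <= e_ts < ts
        ]
        alerts.append({
            "user": user,
            "changed_at": ts,
            "risk_signals": prior,
            # A reset or new device just before a bank change is the exact pattern
            # from the incident; with no such signal the change still gets a review hold.
            "severity": "high" if prior else "review",
            "release_after": ts + hold,
        })
    return alerts
```

A real deployment would feed the same function from help-desk ticketing, identity-provider and payroll audit logs and route "high" alerts to both the SOC and a payroll reviewer who confirms the change with the employee out of band.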
Context and relevance
Payroll diversion attacks join business email compromise and impersonation-as-a-service trends. Attackers increasingly favour social engineering and process abuse because it’s often easier and more lucrative than exploiting technical vulnerabilities. For CISOs, HR and payroll teams, this exposes a blind spot: payroll platforms and help-desk workflows are high-value targets that need the same rigour as systems and endpoints. Organisations adopting zero-trust, stronger MFA practices, and stricter change controls for financial data will be best placed to reduce this risk.
Why should I read this?
Short version: if you care about getting paid or running payroll, this is a proper wake-up call. The crooks didn’t crash a firewall — they tricked a human and used your own systems to look legit. Read this so you can fix the bits that actually let them in (help-desk rules, shared mailboxes, and how you approve bank changes). We’ve saved you the time of sifting through the original — take the fixes seriously and pass them on to HR and IT.
Author style
Punchy: this isn’t theoretical — it’s practical, targeted theft that hits employees directly. If you’re responsible for people, payroll or security, treat the detail here as urgent guidance rather than background noise.
